Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps
Justin Richer <jricher@mit.edu> Thu, 25 July 2019 11:45 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27784120020 for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2019 04:45:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R231PIflZIs3 for <oauth@ietfa.amsl.com>; Thu, 25 Jul 2019 04:45:02 -0700 (PDT)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 918D4120019 for <oauth@ietf.org>; Thu, 25 Jul 2019 04:45:02 -0700 (PDT)
Received: from w92exedge3.exchange.mit.edu (W92EXEDGE3.EXCHANGE.MIT.EDU [18.7.73.15]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id x6PBj6Pp025569; Thu, 25 Jul 2019 07:45:11 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by w92exedge3.exchange.mit.edu (18.7.73.15) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Thu, 25 Jul 2019 07:44:15 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by oc11expo18.exchange.mit.edu (18.9.4.49) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 25 Jul 2019 07:44:55 -0400
Received: from oc11expo18.exchange.mit.edu ([18.9.4.49]) by oc11expo18.exchange.mit.edu ([18.9.4.49]) with mapi id 15.00.1365.000; Thu, 25 Jul 2019 07:44:55 -0400
From: Justin Richer <jricher@mit.edu>
To: David Waite <david@alkaline-solutions.com>
CC: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Feedback on OAuth for browser-based Apps
Thread-Index: AQHVQFTCWkkZA5TKMEWuwVFaVw4YoabaiM8AgAC44ACAAD13gA==
Date: Thu, 25 Jul 2019 11:44:55 +0000
Message-ID: <DC16FB06-32A8-4CF9-999F-FB9F58E67B99@mit.edu>
References: <CAO7Ng+tyHaKQgJ4PcrcEpMcteqvdH2PE1CQP5j+5DqKJWuKPoQ@mail.gmail.com> <CAGBSGjoexpLjzOcBV+wjH6+CtRROB1ZbPre+7DgfipsO1RgVOQ@mail.gmail.com> <F6536A63-6950-4A05-A35C-B8215BB04277@alkaline-solutions.com>
In-Reply-To: <F6536A63-6950-4A05-A35C-B8215BB04277@alkaline-solutions.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [31.133.148.255]
Content-Type: multipart/alternative; boundary="_000_DC16FB0632A84CF9999FFB9F58E67B99mitedu_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4EcpIngt5EkkcaOs0Q_PAq85QOA>
Subject: Re: [OAUTH-WG] Feedback on OAuth for browser-based Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 11:45:05 -0000
This raises an interesting question that I don’t think we’ve addressed yet: how to appropriately vary token lifetimes and access for different clients. Previously, an AS could see that a client was using the implicit flow and decide to limit token lifetimes or scopes based on that alone. Similarly, I know of at least some AS implementations that let you limit what scopes you allow under the client credentials grant. The key issue is that if all your clients are using the auth code flow (which I agree they should), then how does an AS tell the difference in capabilities between incoming clients? Obviously it can do it on a per-client basis still, but now an AS is going to have to know a bit more about the app itself. Perhaps we finally need a few more entries in the “application_type” metadata parameter from OIDC’s extension RFC7591 beyond “native” and “web”? But we at least probably want to point out to AS implementors that this is something they want to consider tracking in their data model for clients. — Justin On Jul 25, 2019, at 4:04 AM, David Waite <david@alkaline-solutions.com<mailto:david@alkaline-solutions.com>> wrote: On Jul 24, 2019, at 3:03 PM, Aaron Parecki <aaron@parecki.com<mailto:aaron@parecki.com>> wrote: On Mon, Jul 22, 2019 at 2:14 AM Dominick Baier <dbaier@leastprivilege.com<mailto:dbaier@leastprivilege.com>> wrote: <snip> I would rather say that ANY JS app should use CSP to lock down the browser features to a minimal attack surface. In addition, if refresh or access tokens are involved - further settings like disabling inline scripting (unsafe inline) and eval should be disabled. I'm not sure what to do with this suggestion. It feels like a blanket recommendation of enabling CSP will likely be ignored since it's too broad, and recommending disabling inline scripts is overreaching unless backed up by a specific threat it's protecting against. Did you have a particular threat in mind? I would say that browser applications should take measures to harden their applications again code injection and arbitrary code execution. Examples include eliminating inline script (and limiting embeddable objects as much as possible) via CSP, and versioning third party resources via techniques like subresource integrity. Mechanisms such as augmenting the codebase to make sure all appropriate user input, data storage, and output properly sanitize data may be used - although they may be more expensive to implement and audit. The AS should likewise take into account an application’s overall security posture when deciding appropriate policies around delegated authorization scopes and token lifetimes. Best current practices include turning the screws tightly around CSP. But it is (theoretically) possible to accomplish the same with brute-force sanitization, which has been made simpler with framework support. It is still ultimately the AS job to decide which clients have which capabilities. -DW _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Feedback on OAuth for browser-based Ap… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Neil Madden
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Filip Skokan
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Neil Madden
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Aaron Parecki
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Dominick Baier
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… David Waite
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Justin Richer
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Filip Skokan
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Justin Richer
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… Leo Tohill
- Re: [OAUTH-WG] Feedback on OAuth for browser-base… n-sakimura